Platform

    Get real-time insights and automation for comprehensive, seamless monitoring with agentless architecture.

    Platform Overview
  • Infrastructure
    monitoring
  • Cloud monitoring
  • Digital experience

      • Solutions

      Whether you work in MSP, Enterprise IT or somewhere in between, the solution is clear.

      Solutions Overview
    By Inititive
    By Industry

      About us

      Get to know LogicMonitor and our team.

      About us
    Get to know us
    Connect
    Services

      Documentation

      Read through our documentation, check out our latest release notes, or submit a ticket to our world-class customer service team.

      View Resources
    Support

    Product Documentation

    Palo Alto Firewall Monitoring

    Last updated on 17 March, 2023

    Setting Your API Key as a Device Property

    Palo Alto firewalls expose a small amount of data by SNMP, but in order to get comprehensive monitoring it is necessary to also use the Palo Alto API. Therefore, you should ensure that SNMP is enabled and configured correctly on your device as well as set your Palo Alto API key as a device property in LogicMonitor.

    To get your API key and set it as a device property:

    1. This process can be initiated from the command line or browser:
      • From the command line, as detailed in the Palo Alto XML API manual, make a GET or POST request to the firewall’s hostname or IP addresses using the administrative credentials and type=keygen: 
        curl -k -X GET 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'

        OR

        curl -k -X POST 'https://<firewall>/api/?type=keygen&user=<username>&password=<password>'
      • From a browser, generate the key by entering the below URL into your address bar: 
        https://<firewall>/api/?type=keygen&user=<username>&password=<password>

      Note: Replace firewall, username, and password in the above URL with the appropriate values. Any special characters in the password must be URL encoded (your browser will most likely do this for you.)

    2. The result will be an XML block that contains the key. The key should be formatted similar to the following: gJlQWE56987nBxIqyfa62s23RtYuIo2BgzEA9UOnlZBhU.
    3. Copy the key value and use it as the value for a device property named paloalto.apikey.pass.

      Note: Ensure this property is set on all Palo Alto devices, including the Panorama management server. It is easiest to set this property at the root level of your LogicMonitor account; this allows the DataSources to connect via the API. For more information on setting properties, see Resource and Instance Properties.

    Troubleshooting: Discard Session

    In some cases, Palo Alto Firewalls allow SNMP requests from a Collector to a device, but block the response from the device back to the Collector. This is evidenced by a discard session on the firewall for the response packet (that is, discard UDP from device:snmp port -> collector:highport). This discard session would then block ALL subsequent SNMP responses from the device back to the Collector that are using the same port on the Collector, until a Collector restart or other event allows the discard session to expire (after no traffic for 30-60 seconds). This could potentially result in SNMP data collection issues where traffic from a Collector to its monitored devices flows across a Palo Alto Firewall.

    Possible workarounds:

    • Increase the Palo Alto UDP session timeout from 10 seconds to 30 seconds
    • Open bidirectional firewall policies such as:
      • allow collector:highports -> device:snmp
      • allow device:snmp -> collector:highports
    In This Article